Fix issue where if a SCO connection is initiated during an AMP
OBEX transfer the fallback to BR-EDR fails and the OBEX connection
is disconnected.
When moving a channel back to BR-EDR L2CAP must allow for receiving
a Move Channel Response with Pending status before receiving the
Response with Success status.
Change-Id: I017bf607fa8ab5d0d582d61538c9a0e5ec25cd26
CRs-fixed: 341363
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Fix issue where if there are two OBEX connections on an AMP link and one
of them is moved back to BR-EDR (or disconnected) the remaining connection
ceases to transfer any data, times out, and disconnects.
The l2cap_data pointer of the AMP hci_conn structure should not be cleared
whenever an L2CAP channel on AMP is deleted, it should only be cleared
when the last L2CAP channel on the AMP is deleted. This allows multiple
L2CAP channels to be open concurrently on AMP.
CRs-fixed: 344557
Change-Id: Ifb15a7156437a6ab7a7a76c3dae4b1cd901c796f
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Fix issue where the attempt to move a second OBEX connection onto an
AMP link fails and the connection is disconnected.
When handling a Move when there is an existing Best Effort Logical Link
L2CAP must check for the WAIT_MOVE_CONFIRM and WAIT_MOVE_RSP_SUCESS
states when the logical link completes. In these scenarios the logical
link completes before the Move Confirm or Move Response Success is
received and L2CAP must continue to wait for the confirm or response.
CRs-fixed: 344557
Change-Id: I3e0786f780fa48592bb45ec2e81ae1ffa4a6ab80
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
When a Bluetooth device is powered down while RFCOMM connections are
open, there are race conditions where RFCOMM tries to use an HCI
connection after the data structures have been deleted. Since the
powerdown procedure runs in process context, it is possible to lock
sockets before accessing them to close connections. This change adds
that locking, which will serialize socket access between processors
during powerdown.
Change-Id: I587720799b35d9ee6e66340bdeda8a2b9e2ea7b5
CRs-fixed: 336893
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Because traffic between the local GATT client(s) and
remote servers are subject to different controls than
remote clients and the local server, all on the shared
fixed CID, it is important to manage the traffic on
seperate sockets.
Change-Id: I62385143c86522f4b123b32592b69f2a0ae6dc76
CRs-fixed: 336029
Signed-off-by: Brian Gix <bgix@codeaurora.org>
We only support a 23 octet MTU, so auto-respond to all
MTU change requests with the 23 octet response.
Change-Id: Ic69d5f068759d983f8cd98b329acbb9d3a481c49
CRs-fixed: 336025
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Some rebalancing of refcnts due to issues found during testing:
Refcnt was not being released on security completion, if local side
was paired but the remote side had deleted the pairing info, and then
the re-pair failed to complete successfully.
Additionally, the refcnt was not held-released properly if pairing
was initiated due to the client socket being opened with security
level elevated from the start.
Change-Id: I120fed4dc74035d280781ca949a23d4cbcfa3f3e
CRs-fixed: 335993
Signed-off-by: Brian Gix <bgix@codeaurora.org>
An application may call recv() on a disconnected socket if the
connection has unexpectedly dropped. In this case, the socket may
still exist, but it will be in an error state and the L2CAP connection
will be mostly torn down.
A crash was observed when the ERTM code attempted to send an ACK when
the L2CAP connection was not up. If the error state is detected and
ERTM queue processing is skipped, then the crash is avoided and the
recv() call just returns an error in userspace.
CRs-fixed: 336000
Change-Id: I540d774c5d42f0df856b13b6e634e6ba31d86492
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
For every incoming connection, both l2cap_connect_ind and
sco_connect_ind are called. One will always have a mismatched link
type (which is expected), the incoming link will be either L2CAP or
SCO but both connect_ind functions get called anyway. If the incoming
link is an L2CAP link, sco_connect_ind should return 0 so it doesn't
set any mask bits. Similarly, an incoming SCO link should make
l2cap_connect_ind return 0.
CRs-fixed: 336437
Change-Id: I4722d64ef65988d7898b178f05c4e6709ead1362
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
If encryption fails during socket setup, the L2CAP channel should not
be marked as Ready until after re-pairing takes place.
Change-Id: I57a07ae72d4a57584c9367db9a832f4560629ac7
CRs-fixed: 335988
Signed-off-by: Brian Gix <bgix@codeaurora.org>
When doing L2CAP configuration, use the correct retransmit and monitor
timeouts when configuring (or reconfiguring) AMP channels. The host
stack needs to use the timeouts read from incoming configuration
responses, and write appropriate timeouts when sending configuration
responses.
Change-Id: I1271ade93dbfee58a1cac115280704a327e901b2
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Added Flush Timeout parameter setting for l2cap channel. Bluetooth
profiles using l2cap can set this parameter to flush out the data
when it cannot be sent over the air with in timeout duration.
Change-Id: I60420c5be3a790aff26bc30e8089fdca47a99222
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
When an incoming HCI logical link event came in at the same time
a socket structure was deleted, it was possible to end up with a stale
pointer to the socket. The socket and associated HCI channel struct
need to be properly reference counted so they are not freed
prematurely.
CRs-Fixed: 325023
Change-Id: Ia5724a9ce2000acd60a174c354be04029bac5324
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Since l2cap_ertm_send() runs in process context, it may be preempted
by incoming data being processed in tasklet context. In order to
avoid race conditions where a packet is acknowledged before the
transmit queue is properly updated, ERTM state should be set up for
the next transmit before the packet is actually sent.
CRs-fixed: 326238
Change-Id: I3df0e93118a357dbd34ff26ad74d7c0c38bf5121
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
In ERTM, the outgoing data queue contains both unsent data and unacked
data, and sk_send_head points to the first unsent packet. When
disconnecting a socket, it's possible for a process to attempt a
socket send while a disconnection is in progress and the outgoing data
queue has been purged. When this purge happens, sk_send_head must also
be set to NULL because the packet it was pointing to has been freed.
Change-Id: I87b37a13583fac705241549dfc492950c7c0ec0b
CRs-fixed: 326238
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
During normal ERTM sends and resends, buffers are copied or cloned.
If the copy/clone fails, take sensible action rather than causing a
kernel panic.
Change-Id: Ib491cfb38dab30014ed08571dbd721dad0cc3714
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When the connection is not in BT_CONNECTED state it was possible
for code in hci_chan_modify() to attempt to access the hci_chan
structure after it had already been deleted by hci_chan_put().
Change-Id: I5ae352ac12aa3b456e7bcf30633015d98b03e44b
CRs-fixed: 319934
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Default RFC values should use le16 byte ordering. These values are
used only as a fallback when poorly-behaved remote devices do not send
a proper RFC option in an ERTM or streaming configuration response.
Change-Id: I51c9ae892f18229f568b354c92b64e3a8054b619
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When the logical link disconnects clear the reference to the
l2cap connection before moving the channel. This prevents the
channel from being disconnected before failover to BR-EDR is
complete.
Change-Id: Id55a472a8dac49fbfca4fa47cffea59acf76ed1f
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
CRs-fixed: 321202
A well-behaved remote device should always send a reconfiguration and
flow control (RFC) option in the configuration response when using
ERTM or Streaming mode. By using default RFC option values, the
configuration code can avoid using uninitialized data.
Change-Id: I8f9ef687b694d0b34c6d65d40b934bc7946d515e
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Previously an offset was added to the hci dev number to generate the
AMP controller ID, because it was possible for the PAL to register
as hci0, and 0 is invalid for an AMP controller ID. Since this commit
462bf76d29 it is not possible for
the PAL to register as hci0, so this offset is no longer necessary.
Change-Id: I4b01ddca5fad3aebeb4c138b5aee8819bb146f3d
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
In three places a reference was taken without being returned.
Change-Id: I15b9ab7de530a77832d8b10fe756cfdf0b01760f
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
A socket can be shut down while pointer to that socket is stored in a
queued skbuff or in a pending workqueue struct. Correct use of socket
reference counting will make sure the socket struct stays around until
there are no remaining references.
Change-Id: Ic3679e023a46b224929b3cefb6370d7871e3368a
CRs-fixed: 313736
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Before attempting to create a channel directly on an AMP check
that the remote device supports A2MP signalling before starting
the physical link creation process.
Change-Id: Iac2bcebf9630368685e24e636e39ffa82651705d
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Socket lookup for a fixed channel should be done based on both remote and
local device addresses.
Change-Id: I35f39bea8ade6fd5d8695640251efc54bf21beae
Signed-off-by: Inga Stotland <ingas@codeaurora.org>
Timer that was started at beginning of LE Pairing did not correctly
terminate pairing process when it fired, and was not properly cleaned
up on pairing completion.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
During a move collision, both devices start out thinking they are the
initiator. The loser of the collision switches from the initiator role
to the responder role when receiving a move request from the remote
device. However, a move response will also be received by the loser
after the role switch has occurred.
The loser of the collision was incorrectly modifying the AMP move
state in the move response handler. This kept it from sending a move
channel response to the remote device, which stalled the channel move
process.
This change makes sure the AMP move state remains valid, so the
channel move succeeds.
CRs-fixed: 308382
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
An incoming AMP "create channel" connection would trigger an info
request and an AMP physical accept sequence at the same time. Since
accepting an AMP physical link is a local operation, it would complete
quickly and send a config request before the info response was
received.
If there is an outstanding info request, the AMP physical link should
not be accepted yet. Existing logic in l2cap_conn_start() will accept
the physical link when the info response is received.
CRs-fixed: 307243
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When remote device is connected outside the control of BlueZ, it
needs to be informed of whether the new connection is LE or BR/EDR.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Enabled ECB Block encoding for Low Energy pairing
Implemented missing components of MGMTOPS interface
Differentiated as needed between BR/EDR pairing and LE pairing
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Conflicts:
net/bluetooth/mgmt.c
Add send and receive of Extended Flow Spec option during L2CAP
lockstep configuration and passing the flow specs to HCI.
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Conflicts:
include/net/bluetooth/hci.h
include/net/bluetooth/hci_core.h
net/bluetooth/l2cap_core.c
The MAXI_EN2 register is no longer owned by the RPM. Add local
control of the VPE and Rotator AXI clocks which are in it.
Signed-off-by: Matt Wagantall <mattw@codeaurora.org>
Fix race condition which can result in missing wakeup during
l2cap socket shutdown.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Another regression fix considering incomming l2cap connections with
defer_setup enabled. In situations when incomming connection is
extracted with l2cap_sock_accept, it's bt_sock info will have
'parent' member zerroed, but 'parent' may be used unconditionally
in l2cap_conn_start() and l2cap_security_cfm() when defer_setup
is enabled.
Backtrace:
[<bf02d5ac>] (l2cap_security_cfm+0x0/0x2ac [bluetooth]) from [<bf01f01c>] (hci_event_pac
ket+0xc2c/0x4aa4 [bluetooth])
[<bf01e3f0>] (hci_event_packet+0x0/0x4aa4 [bluetooth]) from [<bf01a844>] (hci_rx_task+0x
cc/0x27c [bluetooth])
[<bf01a778>] (hci_rx_task+0x0/0x27c [bluetooth]) from [<c008eee4>] (tasklet_action+0xa0/
0x15c)
[<c008ee44>] (tasklet_action+0x0/0x15c) from [<c008f38c>] (__do_softirq+0x98/0x130)
r7:00000101 r6:00000018 r5:00000001 r4:efc46000
[<c008f2f4>] (__do_softirq+0x0/0x130) from [<c008f524>] (do_softirq+0x4c/0x58)
[<c008f4d8>] (do_softirq+0x0/0x58) from [<c008f5e0>] (run_ksoftirqd+0xb0/0x1b4)
r4:efc46000 r3:00000001
[<c008f530>] (run_ksoftirqd+0x0/0x1b4) from [<c009f2a8>] (kthread+0x84/0x8c)
r7:00000000 r6:c008f530 r5:efc47fc4 r4:efc41f08
[<c009f224>] (kthread+0x0/0x8c) from [<c008cc84>] (do_exit+0x0/0x5f0)
Signed-off-by: Ilia Kolomisnky <iliak@ti.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Caused by the following commit, partially revert it.
commit 9fa7e4f76f
Author: Gustavo F. Padovan <padovan@profusion.mobi>
Date: Thu Jun 30 16:11:30 2011 -0300
Bluetooth: Fix regression with incoming L2CAP connections
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.
Based on patch from: Ilia Kolomisnky <iliak@ti.com>
Change-Id: Ifcffe0124adbbc6d1931389ff7476dd0304d6f51
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header. This results in copying a very large amount of data via
memcpy() and destroying the kernel heap. Check for underflow.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This adds support for generating and distributing all the keys
specified in the third phase of SMP.
This will make possible to re-establish secure connections, resolve
private addresses and sign commands.
For now, the values generated are random.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
The ERTM receive buffer is now handled in a way that does not require
the busy queue and the associated polling code.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This change moves most L2CAP ERTM receive buffer handling out of the
L2CAP core and in to the socket code. It's up to the higher layer
(the socket code, in this case) to tell the core when its buffer is
full or has space available. The recv op should always accept
incoming ERTM data or else the connection will go down.
Within the socket layer, an skb that does not fit in the socket
receive buffer will be temporarily stored. When the socket is read
from, that skb will be placed in the receive buffer if possible. Once
adequate buffer space becomes available, the L2CAP core is informed
and the ERTM local busy state is cleared.
Receive buffer management for non-ERTM modes is unchanged.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
The local busy state is entered and exited based on buffer status in
the socket layer (or other upper layer). This change is in
preparation for general buffer status reports from the socket layer,
which will then be used to change the local busy status.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Even when the received tx_seq is expected, the frame still needs to be
dropped if the TX window is exceeded or the receiver is in the local
busy state.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
